To clear the air, only users of Visa cards, both credit and debit, are vulnerable to this attack. MasterCard has proved to be a tougher nut to crack.

Before publishing their findings in a paper in IEEE Security & Privacy 2017, the researchers informed Visa about the gaping hole in Visa card security, but they thought that it was a joke.

The exact problem that the researchers have found stems from two oversights in Visa’s implementation. The first, which should be the gatekeeper, is that Visa doesn’t limit how many failed attempts are made before it locks down the account from further access. This means that computer programs can brute-force a card’s credentials without fear of being locked out. MasterCard, in contrast, limits it to 10 attempts, no matter what website or e-shop is used.

The second error allows for what is termed a Distributed Guessing Attack. In a nutshell, different online merchants sometimes ask for different card data fields, revolving around card number, expiry date, CVV, and credit card security code. This means that, given the unlimited number of times a computer program can guess a combination of those fields, hackers can piece together correct guesses from different websites to form a complete and valid credit card picture.

You might think that all this is complicated but, for a computer, all it takes is 6 seconds. Hackers don’t even need to have the credit card number, as they can also brute-force a valid one. Guessing the expiry date takes only 60 attempts, which can take place in a split second, because issuers usually only issue cards valid for 60 months. And the three-digit CVV takes fewer than 1,000 attempts. All of these can be tried numerous times without repercussions from Visa.

Sadly, the researchers say there is no silver bullet to this problem other than due vigilance on the user’s part. On Visa’s side, however, the organization would do well to put a hard limit on failed attempts, just to make it harder, though not impossible, to pilfer credit card data.
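
Why the hard limit has to be counted per card across every merchant, shown as an added example (not code from the researchers, Visa or MasterCard): the same stream of failed authorizations is replayed through a counter kept separately by each shop and through one kept network-wide. The shop names, card tokens and event stream are constructed, and the limit of 10 is the figure quoted above for MasterCard.

```python
from collections import defaultdict

LIMIT = 10  # failed attempts allowed per card (figure quoted above for MasterCard)

def constructed_failures():
    """Constructed failed-authorization events (merchant, card_token), in arrival order."""
    events = []
    for _ in range(9):                        # 9 failures at each of 6 shops,
        for m in range(6):                    # interleaved across the shops
            events.append((f"shop-{m}", "card-A"))
    events += [("shop-0", "card-B")] * 2      # a customer mistyping twice
    return events

def replay(events, key_fn, limit=LIMIT):
    """Replay failures through a limiter whose counter is keyed by key_fn.

    Returns (processed, blocked): per-card counts of failed attempts that were
    still evaluated, and of attempts rejected because the counter hit the limit.
    """
    counters = defaultdict(int)
    processed = defaultdict(int)
    blocked = defaultdict(int)
    for merchant, card in events:
        key = key_fn(merchant, card)
        if counters[key] >= limit:
            blocked[card] += 1                # locked: attempt is refused unevaluated
            continue
        counters[key] += 1
        processed[card] += 1
    return dict(processed), dict(blocked)

def per_merchant(events):
    """Each shop keeps its own counter, so no single counter sees the whole spread."""
    return replay(events, lambda merchant, card: (merchant, card))

def network_wide(events):
    """One counter per card at the card network, regardless of which shop reports."""
    return replay(events, lambda merchant, card: card)

if __name__ == "__main__":
    ev = constructed_failures()
    print("per-merchant (processed, blocked):", per_merchant(ev))
    print("network-wide (processed, blocked):", network_wide(ev))
```

With per-shop counters, every failure on card-A is still evaluated because no single shop ever reaches the limit; the network-wide counter stops evaluating after the tenth failure while leaving card-B's two mistakes untouched.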